People who complain about certifications really get me wound up - especially when they hold no certifications of their own but do hold positions where they can wield power against people who have them. I suppose it could be argued that some people can buy their certifications, but on the whole a lot of hard work is required to pass exams and it is on this very topic that my tale begins.
Being a current MSc student, we have an email group that many current and past students belong to. Occasionally the emails make me reflect on the differing opinions – none of which offers a way forward or a solution. It leaves me feeling that here are a lot of whiners and not enough winners when it comes to security training, experience and certifications.
This train of thought started with an email beginning with "This isn't meant to be a personal attack against those who have their CISSP :0)". The smiley makes everything better in this case, right? So with the pleasantries out the way what follows is a rant about the fact the writer is interviewing people with CISSP accreditation for a very technical position! When I last looked, the CISSP exam never professed to be about being able to conduct a penetration test and knowing about the current vulnerabilities. It was about ten domains that covered all aspects of security and the exam aimed to create people that had well rounded security knowledge as opposed to polarised viewpoints on security.
The email highlights that the writer has interviewed a number of proud CISSP candidates and the shocking fact that they have ZERO knowledge of security related topics. If the interviewee is a security generalist and the interviewer is a focused security specialist, how is this a balanced view? My case is proven when in conclusion he makes a sniping reference to the ISC and a topical security lapse that was made by the ISC itself with link to the article (http://www.theregister.co.uk/2004/06/03/isc2_survey_snafu/ ). He parted with a observation that you are only put forward for a security role if you have a CISSP on your CV and equates this to the MCSE scenario of the nineties.
I was left pondering what such a negative email meant to achieve. As expected, current CISSPs defended the certification and the ISC and, in the process, I learnt a few things about why the CISSP originated. In a nutshell, US insurance companies adopted it as method of gauging the skill of IT staff to apply a risk rating. More CISSPs - more knowledge, lower risk. No CISSPs - higher risk. I think there are arguments for both sides but certifications do go some way to giving people an idea of the person you are and show that you have made the effort to study and take an exam.
But no solution was offered. The issue kept being raised that, whilst training has a place to provide grounding for working with security products, it does not equip the majority of students enough to make the jump from the book into a production environment because that requires experience.
One solution could be to make security training more applied and more practical. Maybe it should deliver the theory by going through the manual and then apply the knowledge to real world scenarios.
If we are really honest, even after all this time, the security industry still consists of a lot of smoke and mirrors with a little magic to boot. Sometimes it is not what you know but what you can prove to your customers. There is a choice to be made if the industry is to get better. We do need whiners but how about also suggesting a better way to deliver the winners?
Lannon Rowan is principal security consultant at Trend Network Services